The Hacker News — Cyber Security, Hacking, Technology News

Hackers targeted at least 8 ATMs in Russia and stole $800,000 in a single night, but the method used by the intruders remained a complete mystery with CCTV footage just showing a lone culprit walking up to the ATM and collecting cash without even touching the machine.

Even the affected banks could not find any trace of malware on their ATMs or back-end network, or any sign of an intrusion. The only clue the unnamed bank's specialists found on the ATM's hard drive was two files containing malware logs.

The log files included the two process strings containing the phrases: "Take the Money Bitch!" and "Dispense Success."

This small clue was enough for the researchers from the Russian security firm Kaspersky, who have been investigating the ATM heists, to find malware samples related to the ATM attack.

In February, Kaspersky Labs reported that attackers managed to hit over 140 enterprises, including banks, telecoms, and government organizations, in the US, Europe and elsewhere with the 'Fileless malware,' but provided few details about the attacks.

According to the researchers, the attacks against banks were carried out using fileless malware that resides solely in the memory (RAM) of the infected ATMs, rather than on the hard drive.

Now, during the Kaspersky Security Analyst Summit in St. Maarten on Monday, security researchers Sergey Golovanov and Igor Soumenkov delved into the ATM hacks that targeted two Russian banks, describing how the attackers used the fileless malware to gain a strong foothold in the banks' systems and cash out, ThreatPost reports.

Mysterious ATM Hack Uncovered by Researchers

Dubbed ATMitch, the malware, previously spotted in the wild in Kazakhstan and Russia, is remotely installed and executed on ATMs via the machine's remote administration module, which gives hackers the ability to form an SSH tunnel, deploy the malware, and then send the command to the ATM to dispense cash.

Since fileless malware uses the existing legitimate tools on a machine, so that no malware is installed on the system, the ATM treats the malicious code as legitimate software, allowing remote operators to send the dispense command at the moment their associates are standing at the infected ATM to pick up the money.

This ATM theft takes just a few seconds to complete, without the operator physically going near the machine. Once the ATM has been emptied, the operator 'signs off,' leaving very little trace, if any, of the malware.

However, this remote attack is possible only if an attacker tunnels in through the bank's back-end network, a process which requires far more sophisticated network intrusion skills.

A Very Precise Form of Physical Penetration

Since opening the ATM's panel directly could also trigger an alarm, attackers switched to a very precise form of physical penetration: drilling a golf-ball sized hole in the ATM's front panel to gain direct access to the cash dispenser's serial distributed control (SDC, RS485 standard) wire.

This method was revealed when Golovanov and Soumenkov were able to reverse engineer the ATM attack after police arrested a man dressed as a construction worker while he was drilling into an ATM in the middle of the day to inject malicious commands and trigger the machine's cash dispenser.

The suspect was arrested with a laptop, cables, and a small box. Although the researchers did not name the affected ATM manufacturer or the banks, they warn that ATM burglars have already used the ATM drill attack across Russia and Europe.

In fact, this technique also affects ATMs around the world, leaving them vulnerable to having their cash drawn out in a matter of minutes.

Currently, the group or country behind these ATM hacks is unknown, but coding present in the attack contains references to the Russian language, and the tactics, techniques, and procedures bear a resemblance to those used by bank-robbing gangs Carbanak and GCMAN.

Fileless malware attacks are becoming more frequent. Just last month, researchers found a new fileless malware, dubbed DNSMessenger, that uses DNS queries to deliver malicious PowerShell commands to compromised computers, making the malware difficult to detect.

Law enforcement authorities from Europe and Russia have arrested five members of an international cyber criminal gang for stealing $3.2 million cash from ATMs using malware.

Three of the suspects, Andrejs Peregudovs (41) of Latvia, Niklae Penkov (34) of Moldova, and Mihail Colibaba (30) of Romania, who were arrested in Taiwan by the Taiwanese Criminal Investigation Bureau last summer, have already been sentenced to 5 years in prison for their role in a massive ATM heist operation involving 22 individuals from 6 countries.

The European-based cyber criminal gang used a variety of different hacking techniques to infect ATMs with malware and force them to dispense cash.

According to Europol, which began its investigation in early 2016, the gang used spear-phishing emails containing malicious attachments to target bank employees and penetrate the banks' internal networks.

From there, the cyber crooks located and hacked into the network of ATMs from the inside, and used a malicious software program to delete almost all traces of their activities.

So far, three suspects have already been arrested and convicted, one has been arrested by the Romanian National Police, and one arrest has been made by the Belarusian Central Office of the Investigative Committee.

Europol estimates the five arrested suspects caused damages to banks of around $3.2 Million, although in some cases the stolen money was partially recovered from the criminals after the cashing-out.

Under the ruling, the three of them will be deported back to their home countries when their jail terms end.

Here's the statement by Steven Wilson, Head of Europol's European CyberCrime Centre (EC3):

"The majority of cyber crimes have an international dimension, taking into account the origins of suspects and places where crimes are committed. Only through a coordinated approach at the global level between law enforcement agencies can we successfully track down the criminal networks behind such large-scale frauds and bring them to justice."

Europol did not provide names of any of the five criminals arrested, but has credited the success of its investigation to international cooperation by police across the world.

Europol's European CyberCrime Centre (EC3) assisted the investigation by organizing operational meetings in Europe and Asia, providing analytical support, as well as analyzing the seized data and equipment.

A Romanian man has been arrested and charged with conspiracy relating to his involvement in a prolific ATM malware campaign.

Emanual Leahu, 30, was arrested in the western city of Bacău, Romania by the London Regional Fraud Team (LRFT), a London police unit run by the City of London Police, on Tuesday 20 September, and was extradited to the United Kingdom last week.

Leahu is believed to be a member of a European ATM hacking gang that stole more than £1.5 Million ($2 Million) from cash machines across the UK in 2014 using ATM malware to bypass security controls.

The gang physically broke into ATMs to directly load malware onto the machines, allowing them to withdraw "large amounts of cash." The malware was good enough to erase itself to hide its tracks, making it difficult to identify the culprits.

Three out of Five Gang Members Arrested

Luckily, due to the gang's carelessness, one of its members was recorded by a hidden ATM surveillance camera, which allowed the police to identify and arrest him.

The gang hit 51 ATMs in standalone public places across the UK, including London, Portsmouth, Bognor Regis, Brighton and Liverpool over the 2014 May Bank Holiday weekend.

This is the third arrest in the case after Grigore Paladi and Teofil Bortos, who were arrested and sentenced in 2014 and 2015 to 5 and 7 years in jail for their roles in robbing vulnerable ATMs.

According to the UK authorities, the gang has five members, with the other two suspects still at large in Romania. European arrest warrants have already been issued in their names as well.

Police also assured bank customers that they are not affected by the theft, as the gang's malware only tricked the bank ATMs into releasing cash; it did not take money from customers' accounts.

Global Campaigns to Bust ATM fraudsters

UK police have recently stepped up to support international crime-fighting efforts dedicated to anti-fraud work and cracking down on ATM hackers.

"Operating across borders has its challenges, but overseas law enforcement has been extremely co-operative, especially in Romania," LRFT head, detective inspector Matthew Mountford said. "Working together we will continue to ensure that organised criminal gang members have nowhere to hide."

Earlier this year, European police arrested eight members of an international ATM hacking gang who robbed ATMs across Europe and beyond using Tyupkin malware, which made them millions in cash.

ATM fraud has risen in the past few years. Just over a month back, the Central Bank of Thailand (BoT) issued a warning to all commercial banks about security flaws in their ATMs that let hackers steal over 12.29 Million Thai Baht (over US$346,000).

A few months ago, ATM fraudsters managed to steal ¥1.4 Billion (approx. US$12.7 Million) from some 1,400 ATMs placed in small convenience stores across Japan.